Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-10-2024 08:06
Behavioral tasks
- behavioral1: sample Fatality.dll, resource win7-20240903-en
- behavioral2: sample Fatality.dll, resource win10v2004-20241007-en
- behavioral3: sample Server.exe, resource win7-20240729-en
- behavioral4: sample Server.exe, resource win10v2004-20241007-en
- behavioral5: sample injector.exe, resource win7-20241010-en
- behavioral6: sample injector.exe, resource win10v2004-20241007-en
General
- Target: Server.exe
- Size: 43KB
- MD5: 6fd38643354ce9c9af962154cd79c03e
- SHA1: e7716fa97f92addc3482db44f08125745d35ce92
- SHA256: ded006de19d1f8888efbac3b6088acca5a1f2bf3e9aceb0bf4a68508a9356c5b
- SHA512: 752cbdbccfb479fc03fc4386bc588c49ff4cc766cfda41840dfa3af2cd418d76ad3135fd499f558f6e1973f4494d20ba579832010aacf8557e29f29e2ea54546
- SSDEEP: 384:THZyT36Nkli0yizcpSQOWpeMVOaEnxqzVmzkIij+ZsNO3PlpJKkkjh/TzF7pWn15:T5R6ABiopSQOWpeeOxMiuXQ/oQUM+L
Malware Config
Extracted family: njrat
- Njrat 0.7 Golden By Hassan Amiri
- ???? 10 ??? ??????
- 0.tcp.ngrok.io:10940
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (Server.exe)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (System.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (System.exe)
- Executes dropped EXE (1 IoC)
  PID 4620 System.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\System.exe\" .." (System.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\System.exe\" .." (System.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
  Flows 26, 48, 69, 78: 0.tcp.ngrok.io
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Server.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (System.exe)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 4908 Server.exe; PID 4620 System.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Token: SeDebugPrivilege, PID 4620 System.exe (1 entry), then Token: 33 and Token: SeIncBasePriorityPrivilege alternating, PID 4620 System.exe (34 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4908 (Server.exe) wrote to memory of PID 4620, procid_target 92 (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Server.exe (depth 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
   PID: 4908
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Roaming\System.exe (depth 2, launched under Server.exe)
   Command line: "C:\Users\Admin\AppData\Roaming\System.exe"
   PID: 4620
   - Drops startup file
   - Executes dropped EXE
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15